Bug 360405 - Crash on exit: Related to QtHelp plugin [DocumentationView::changedProvider]
Summary: Crash on exit: Related to QtHelp plugin [DocumentationView::changedProvider]
Status: RESOLVED FIXED
Alias: None
Product: kdevelop
Classification: Applications
Component: Documentation viewer (other bugs)
Version First Reported In: unspecified
Platform: Other Linux
Importance: NOR crash
Target Milestone: 5.0.0
Assignee: kdevelop-bugs-null
Keywords: junior-jobs
Reported: 2016-03-11 11:11 UTC by Kevin Funk
Modified: 2016-07-13 06:57 UTC
Version Fixed In: 5.0.0
Description Kevin Funk 2016-03-11 11:11:44 UTC
==6618==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060018d2090 at pc 0x7facfcdb2b2d bp 0x7ffd8e935c30 sp 0x7ffd8e935c28
READ of size 8 at 0x6060018d2090 thread T0
    #0 0x7facfcdb2b2c in DocumentationView::changedProvider(int) /home/kfunk/devel/src/kf5/kdevplatform-stable/documentation/documentationview.cpp:238:41
    #1 0x7facfcdb307c in DocumentationView::emptyHistory() /home/kfunk/devel/src/kf5/kdevplatform-stable/documentation/documentationview.cpp:202:9
    #2 0x7facfcddfc7d in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (DocumentationView::*)()>::call(void (DocumentationView::*)(), DocumentationView*, void**) /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:501:13
    #3 0x7facfcddf801 in void QtPrivate::FunctionPointer<void (DocumentationView::*)()>::call<QtPrivate::List<>, void>(void (DocumentationView::*)(), DocumentationView*, void**) /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:520:13
    #4 0x7facfcddef2b in QtPrivate::QSlotObject<void (DocumentationView::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) /usr/include/x86_64-linux-gnu/qt5/QtCore/qobject_impl.h:143:17
    #5 0x7fad00b03e1e in QMetaObject::activate(QObject*, int, int, void**) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b4e1e)
    #6 0x7facfcde9ed6 in ProvidersModel::providersChanged() /home/kfunk/devel/build/kf5/kdevplatform-stable/documentation/moc_documentationview.cpp:281:5
    #7 0x7facfcdb802a in ProvidersModel::removeProviders(QList<KDevelop::IDocumentationProvider*> const&) /home/kfunk/devel/src/kf5/kdevplatform-stable/documentation/documentationview.cpp:295:10
    #8 0x7facfcdb6786 in ProvidersModel::unloaded(KDevelop::IPlugin*) /home/kfunk/devel/src/kf5/kdevplatform-stable/documentation/documentationview.cpp:302:9
    #9 0x7facfcdd638c in QtPrivate::FunctorCall<QtPrivate::IndexesList<0>, QtPrivate::List<KDevelop::IPlugin*>, void, void (ProvidersModel::*)(KDevelop::IPlugin*)>::call(void (ProvidersModel::*)(KDevelop::IPlugin*), ProvidersModel*, void**) /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:501:14
    #10 0x7facfcdd5e81 in void QtPrivate::FunctionPointer<void (ProvidersModel::*)(KDevelop::IPlugin*)>::call<QtPrivate::List<KDevelop::IPlugin*>, void>(void (ProvidersModel::*)(KDevelop::IPlugin*), ProvidersModel*, void**) /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:520:13
    #11 0x7facfcdd55ab in QtPrivate::QSlotObject<void (ProvidersModel::*)(KDevelop::IPlugin*), QtPrivate::List<KDevelop::IPlugin*>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) /usr/include/x86_64-linux-gnu/qt5/QtCore/qobject_impl.h:143:17
    #12 0x7fad00b03e1e in QMetaObject::activate(QObject*, int, int, void**) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b4e1e)
    #13 0x7fad02d34beb in KDevelop::IPluginController::unloadingPlugin(KDevelop::IPlugin*) /home/kfunk/devel/build/kf5/kdevplatform-stable/interfaces/moc_iplugincontroller.cpp:238:5
    #14 0x7fad038f7990 in KDevelop::PluginController::unloadPlugin(KDevelop::IPlugin*, KDevelop::PluginController::PluginDeletion) /home/kfunk/devel/src/kf5/kdevplatform-stable/shell/plugincontroller.cpp:424:10
    #15 0x7fad038f7177 in KDevelop::PluginController::cleanup() /home/kfunk/devel/src/kf5/kdevplatform-stable/shell/plugincontroller.cpp:321:9
    #16 0x7fad039746b8 in KDevelop::Core::cleanup() /home/kfunk/devel/src/kf5/kdevplatform-stable/shell/core.cpp:446:9
    #17 0x7fad03972da0 in KDevelop::Core::shutdown() /home/kfunk/devel/src/kf5/kdevplatform-stable/shell/core.cpp:409:9
    #18 0x7fad0386ef25 in KDevelop::MainWindow::~MainWindow() /home/kfunk/devel/src/kf5/kdevplatform-stable/shell/mainwindow.cpp:154:9
    #19 0x7fad0386f1aa in KDevelop::MainWindow::~MainWindow() /home/kfunk/devel/src/kf5/kdevplatform-stable/shell/mainwindow.cpp:151:1
    #20 0x7fad0386fa73 in KDevelop::MainWindow::~MainWindow() /home/kfunk/devel/src/kf5/kdevplatform-stable/shell/mainwindow.cpp:151:1
    #21 0x7fad00b04e8f in QObject::event(QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b5e8f)
    #22 0x7fad0140acda in QWidget::event(QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x19dcda)
    #23 0x7fad01520d5a in QMainWindow::event(QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x2b3d5a)
    #24 0x7fad02534931 in KMainWindow::event(QEvent*) /home/kfunk/devel/src/kf5/kxmlgui/src/kmainwindow.cpp:867:25
    #25 0x7fad0257de59 in KXmlGuiWindow::event(QEvent*) /home/kfunk/devel/src/kf5/kxmlgui/src/kxmlguiwindow.cpp:118:29
    #26 0x7fad013c805b in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x15b05b)
    #27 0x7fad013cd515 in QApplication::notify(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x160515)
    #28 0x7fad00ad55ba in QCoreApplication::notifyInternal(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2865ba)
    #29 0x7fad00ad79b5 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2889b5)
    #30 0x7fad00b2b642  (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2dc642)
    #31 0x7facf79f5126 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a126)
    #32 0x7facf79f537f  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a37f)
    #33 0x7facf79f542b in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a42b)
    #34 0x7fad00b2ba4e in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2dca4e)
    #35 0x7fad00ad2d79 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x283d79)
    #36 0x7fad00adae1b in QCoreApplication::exec() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x28be1b)
    #37 0x503869 in main /home/kfunk/devel/src/kf5/kdevelop-stable/app/main.cpp:671:12
    #38 0x7facff5db9ff in __libc_start_main /build/glibc-uCRKup/glibc-2.21/csu/libc-start.c:289
    #39 0x43c128 in _start (/home/kfunk/devel/install/kf5-stable/bin/kdevelop+0x43c128)

0x6060018d2090 is located 16 bytes inside of 56-byte region [0x6060018d2080,0x6060018d20b8)
freed by thread T0 here:
    #0 0x4e2b82 in operator delete(void*) (/home/kfunk/devel/install/kf5-stable/bin/kdevelop+0x4e2b82)
    #1 0x7facc5a66c93 in QtHelpQtDoc::~QtHelpQtDoc() /home/kfunk/devel/build/kf5/kdevelop-stable/documentation/qthelp/../../../../../src/kf5/kdevelop-stable/documentation/qthelp/qthelpqtdoc.h:26:7
    #2 0x7fad00b024fa in QObjectPrivate::deleteChildren() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b34fa)

previously allocated by thread T0 here:
    #0 0x4e25c2 in operator new(unsigned long) (/home/kfunk/devel/install/kf5-stable/bin/kdevelop+0x4e25c2)
    #1 0x7facc5a37dac in QtHelpPlugin::loadQtDocumentation(bool) /home/kfunk/devel/src/kf5/kdevelop-stable/documentation/qthelp/qthelpplugin.cpp:76:19
    #2 0x7facc5a37dac in QtHelpPlugin::readConfig() /home/kfunk/devel/src/kf5/kdevelop-stable/documentation/qthelp/qthelpplugin.cpp:65
    #3 0x7facc5a650e0 in QtHelpPlugin::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/kfunk/devel/build/kf5/kdevelop-stable/documentation/qthelp/moc_qthelpplugin.cpp:78:17
    #4 0x7fad00b04e70 in QObject::event(QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b5e70)
    #5 0x7fad013c805b in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x15b05b)

SUMMARY: AddressSanitizer: heap-use-after-free /home/kfunk/devel/src/kf5/kdevplatform-stable/documentation/documentationview.cpp:238 DocumentationView::changedProvider(int)
Shadow bytes around the buggy address:
  0x0c0c803123c0: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 04
  0x0c0c803123d0: fa fa fa fa 00 00 00 00 00 00 00 04 fa fa fa fa
  0x0c0c803123e0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c803123f0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c80312400: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c0c80312410: fd fd[fd]fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c80312420: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c80312430: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c80312440: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c80312450: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c80312460: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6618==ABORTING


Reproducible: Sometimes
Comment 1 Kevin Funk 2016-03-11 16:38:09 UTC
This happens every time now. (I think it's related to the fact there's another documentation viewer installed now (PHP docs)). Turning into a release blocker.
Comment 2 Aleix Pol 2016-06-14 11:38:15 UTC
Can't reproduce and so can't Kevin. Removing the release blocker status.
Comment 3 Kevin Funk 2016-07-13 06:57:18 UTC
Git commit 9167b7d2c814d4b17f7adc27e045868af30caa6c by Kevin Funk.
Committed on 13/07/2016 at 00:36.
Pushed by kfunk into branch '5.0'.

PluginController::allPluginsForExtension: Return set

Make sure we return a unique set here, otherwise this may confuse the
documentation controller (and probably other places as well).

Scenario: Multiple plugins with the same plugin id in QT_PLUGIN_PATH
(for whatever reason). In this case PluginController::allPluginsForExtension would return
the same IPlugin instance for each of the available plugins => bogus.

This caused a crash on exit in the documentation component for me, since I
had multiple versions of kdevqthelp.so in QT_PLUGIN_PATH, and KDevelop
created bogus entries in the providers list of the documentation
controller. Crash is fixed with this patch.
FIXED-IN: 5.0.0

M  +2    -1    shell/plugincontroller.cpp

http://commits.kde.org/kdevplatform/9167b7d2c814d4b17f7adc27e045868af30caa6c
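As an added illustration (not code from KDevelop or from the commit above), a small model of the scenario the commit message describes: a lookup that returns the same plugin instance once per hit on the plugin path leaves a stale pointer in the providers list after that plugin is unloaded once on exit, and a later access through that pointer is the heap-use-after-free the sanitizer reports. `Plugin`, `allPluginsBuggy`, `allPluginsFixed` and `danglingAfterUnload` are hypothetical stand-ins, and the two-copies-on-the-path input is constructed.

```cpp
#include <algorithm>
#include <set>
#include <string>
#include <vector>

// Hypothetical stand-in for a KDevelop plugin that is also a documentation
// provider; `alive` models whether the object has already been deleted.
struct Plugin {
    std::string id;
    bool alive = true;
};

// Pre-fix lookup (modelled, not KDevelop's code): one result per plugin-path
// hit, so an id that appears twice on the path yields the same instance twice.
std::vector<Plugin*> allPluginsBuggy(const std::vector<std::string>& pathHits, Plugin& loaded) {
    std::vector<Plugin*> out;
    for (const auto& id : pathHits)
        if (id == loaded.id) out.push_back(&loaded);
    return out;
}

// Post-fix lookup ("Return set"): each loaded instance at most once.
std::vector<Plugin*> allPluginsFixed(const std::vector<std::string>& pathHits, Plugin& loaded) {
    std::set<Plugin*> unique;
    for (const auto& id : pathHits)
        if (id == loaded.id) unique.insert(&loaded);
    return std::vector<Plugin*>(unique.begin(), unique.end());
}

// Models plugin unload on exit: the providers list drops the plugin once
// (like QList::removeOne) and the object is destroyed.  Returns how many
// list entries still point at the destroyed object; each one is a pointer
// that a later provider lookup would dereference after the free.
int danglingAfterUnload(bool useFix) {
    Plugin qthelp{"kdevqthelp"};
    // Constructed scenario: the same plugin id found twice on the plugin path.
    const std::vector<std::string> pathHits{"kdevqthelp", "kdevqthelp"};
    std::vector<Plugin*> providers = useFix ? allPluginsFixed(pathHits, qthelp)
                                            : allPluginsBuggy(pathHits, qthelp);
    auto it = std::find(providers.begin(), providers.end(), &qthelp);
    if (it != providers.end()) providers.erase(it);   // removeProviders() for this plugin
    qthelp.alive = false;                              // the plugin's destructor ran
    return static_cast<int>(std::count_if(providers.begin(), providers.end(),
                                          [](Plugin* p) { return !p->alive; }));
}
```

With the buggy lookup one stale entry survives the unload; with the set-based lookup none does.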